ISO 27701, Clause 6.3 – Organisation of Information Security

Privacy protection should be managed both as a governance concept and as an operational reality.

Organisations should consider privacy protection not just in terms of the systems they use to protect data, but also in the way that they manage the individuals who access PII, and in how privacy protection is treated alongside other business functions, such as project management.

ISO 27701 6.3 outlines how organisations can manage privacy protection as an end-to-end process that encompasses all of the above.

What’s Covered in ISO 27701 Clause 6.3

ISO 27701 6.3 contains three sub-clauses that include privacy protection-specific guidance, adapted from three supporting clauses in ISO 27002:

  • ISO 27701 6.3.1.1 – Information security roles and responsibilities (References ISO 27002 control 5.2)
  • ISO 27701 6.3.1.2 – Segregation of duties (References ISO 27002 control 5.3)
  • ISO 27701 6.3.1.5 – Information security in project management (References ISO 27002 control 5.8)

Additional PIMS-specific guidance relating to the processing of PII can be found in clause 6.3.1.1, which is also mapped to articles of the GDPR.

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.

ISO 27701 Clause 6.3.1.1 – Information Security Roles and Responsibilities

References ISO 27002 Control 5.2

Organisations should define roles and responsibilities that are specific to individual functions contained within their privacy protection policy – both their general policy and topic-specific policies.

Individuals with specific responsibilities should be skilled enough to carry out privacy-related tasks, and should be offered continual support that maintains an acceptable level of competency.

Areas of responsibility should include:

  1. The protection of PII and any privacy-related assets.
  2. Executing privacy protection procedures.
  3. PII-related risk management activities, including remedial actions.
  4. Acceptable use of the organisation's information and data, including ICT assets, by anyone who uses them.
  5. Delegation of tasks by individuals who hold top-level responsibility for privacy protection (delegating a task does not delegate accountability for it).

ISO acknowledges that each organisation is unique in the way that it processes information. The above areas of responsibility should be accompanied by site- and facility-specific guidelines that take into account real-world factors affecting the organisation's PII-processing operation.

All of the above responsibilities and security areas should be clearly documented and made available to all relevant staff members.

Additional PIMS-Specific Guidance

Organisations should nominate an individual that customers (and external authorities) can use as a dedicated point of contact for all PII-related matters (see ISO 27701 7.3.2).

In addition, organisations should delegate responsibility to one or more individuals for building an organisational privacy governance program that bolsters adherence to localised and national PII laws and regulations.

Applicable GDPR Articles

  • Article 27 – (1), (2)(a), (2)(b), (3), (4), (5)
  • Article 37 – (1)(a), (1)(b), (1)(c), (2), (3), (4), (5), (6), (7)
  • Article 38 – (1), (2), (3), (4), (5), (6)
  • Article 39 – (1)(a), (1)(b), (1)(c), (1)(d), (1)(e), (2)

Supporting Clauses

  • ISO 27701 Clause 7.3.2

ISO 27701 Clause 6.3.1.2 – Segregation of Duties

References ISO 27002 Control 5.3

In an organisation with many privacy-related roles, responsibilities and duties can easily come into conflict with one another.

An individual can end up in a position to compromise PII, either because they are the sole authority over an activity or because that activity lacks management oversight.

Responsibilities should be segregated so that no single person can both initiate and approve, or perform and verify, a sensitive activity. Examples of activities that can conflict when held by the same person include:

  • Requesting, approving or implementing a change to the PIMS.
  • Making amendments to access rights, including RBAC.
  • Writing or amending code, or performing any kind of application development.
  • Utilising applications or databases that deal with the processing and/or storage of PII.
  • Drafting, approving and/or reviewing privacy protection controls.

Segregation controls should be developed with various factors in mind:

  • Preventing collusion.
  • Identifying conflicts.
  • Monitoring activities.
  • Creating audit trails.
  • Automating the process of identifying conflicts.

ISO acknowledges that smaller organisations may find it difficult to segregate roles, given their limited resources, but the whole concept of segregation should nevertheless be pursued as far as is commercially and operationally possible.
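
The clause's call to automate the identification of conflicts can be met with a check over the organisation's actual role assignments. The following is an added example, not code from the page, from ISO 27701 or from ISMS.online. The user, role and duty names are constructed sample data, and the list of mutually exclusive duty pairs is an assumption modelled on the activities listed above, not a list defined by the standard. It reports three things a practitioner typically wants: users who currently hold a conflicting pair of duties, roles that are internally conflicting by design, and "toxic" role combinations that would create a conflict if both roles were ever granted to one person.

```python
"""Segregation-of-duties (SoD) conflict check over role assignments.

Added example, not from the page or the standard. All users, roles,
duties and conflict rules below are constructed sample data.
"""
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Assumed mutually exclusive duty pairs, modelled on the activities the
# clause lists: change lifecycle, access-rights administration,
# development vs. production PII access, control authorship vs. approval.
SOD_RULES: List[Tuple[str, str]] = [
    ("request_change", "approve_change"),
    ("approve_change", "implement_change"),
    ("request_access_rights", "grant_access_rights"),
    ("develop_code", "access_pii_prod"),
    ("draft_privacy_control", "approve_privacy_control"),
]

# Constructed role -> duties mapping. "release_manager" is deliberately
# self-conflicting (approves and implements changes) to show that check.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "developer": {"develop_code", "request_change"},
    "change_approver": {"approve_change"},
    "ops_engineer": {"implement_change", "access_pii_prod"},
    "iam_admin": {"grant_access_rights"},
    "help_desk": {"request_access_rights"},
    "privacy_analyst": {"draft_privacy_control"},
    "privacy_officer": {"approve_privacy_control", "approve_change"},
    "release_manager": {"approve_change", "implement_change"},
}

# Constructed user -> roles assignment, as exported from an IdM system.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"developer"},
    "bob": {"developer", "ops_engineer"},            # writes code and touches prod PII
    "carol": {"help_desk", "iam_admin"},             # requests and grants access rights
    "dave": {"privacy_analyst", "privacy_officer"},  # drafts and approves controls
    "erin": {"change_approver"},
}


def effective_duties(user: str, user_roles: Dict[str, Set[str]],
                     role_duties: Dict[str, Set[str]]) -> Set[str]:
    """Union of duties across all of a user's roles; unknown roles contribute nothing."""
    duties: Set[str] = set()
    for role in user_roles.get(user, set()):
        duties |= role_duties.get(role, set())
    return duties


def find_sod_violations(user_roles: Dict[str, Set[str]],
                        role_duties: Dict[str, Set[str]],
                        rules: List[Tuple[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Detective check: {user: [conflicting duty pairs held]} for users who
    hold both halves of any rule, through one role or a combination of roles."""
    violations: Dict[str, List[Tuple[str, str]]] = {}
    for user in sorted(user_roles):
        held = effective_duties(user, user_roles, role_duties)
        hits = [(a, b) for a, b in rules if a in held and b in held]
        if hits:
            violations[user] = hits
    return violations


def find_self_conflicting_roles(role_duties: Dict[str, Set[str]],
                                rules: List[Tuple[str, str]]) -> Set[str]:
    """Design check: roles that contain both halves of a rule on their own."""
    return {role for role, duties in role_duties.items()
            if any(a in duties and b in duties for a, b in rules)}


def find_toxic_role_pairs(role_duties: Dict[str, Set[str]],
                          rules: List[Tuple[str, str]]) -> Set[Tuple[str, str]]:
    """Preventive check: role pairs that are clean individually but violate a
    rule when combined. Run this before approving a new role assignment.
    Pairs where one role already holds both halves are left to the self-conflict check."""
    toxic: Set[Tuple[str, str]] = set()
    for r1, r2 in combinations(sorted(role_duties), 2):
        combined = role_duties[r1] | role_duties[r2]
        for a, b in rules:
            pair = {a, b}
            if pair <= combined and not (pair <= role_duties[r1] or pair <= role_duties[r2]):
                toxic.add((r1, r2))
    return toxic


if __name__ == "__main__":
    for user, hits in find_sod_violations(USER_ROLES, ROLE_DUTIES, SOD_RULES).items():
        print(f"VIOLATION {user}: {hits}")
    print("self-conflicting roles:", sorted(find_self_conflicting_roles(ROLE_DUTIES, SOD_RULES)))
    print("toxic role pairs:", sorted(find_toxic_role_pairs(ROLE_DUTIES, SOD_RULES)))
```

On the sample data the detective check flags bob, carol and dave, the design check flags release_manager, and the preventive check lists the eight role pairs that must never be co-assigned. In practice the user and role data would be pulled from the identity provider on a schedule, and the output kept as the audit trail the clause asks for.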

ISO 27701 Clause 6.3.1.5 – Information Security in Project Management

References ISO 27002 Control 5.8

As well as day-to-day business operations, privacy protection should extend to project implementation and management activities.

Projects often involve the migration, creation and alteration of large volumes of PII, and should therefore be given adequate consideration if organisations are to maintain compliance with local and national privacy laws and regulatory guidance.

A “project” can be any activity that alters a standard way of working, or introduces new process and/or equipment and applications to an organisation.

Project management activities should ensure that:

  1. Privacy protection risks and requirements are given consideration early on in the project, and are maintained throughout the project's lifecycle (see ISO 27002 controls 5.32 and 8.26).
  2. Privacy protection is continually monitored and acted upon – by way of formal evaluations by suitable persons or governance bodies, and structured tests.
  3. All roles related to project-specific privacy protection are clearly defined.
  4. Any products or services delivered as part of the project are created in accordance with the organisation's published privacy standards.
  5. Privacy protection is bolstered through methods such as threat modelling, incident reviews, vulnerability thresholds and contingency planning.

Privacy protection efforts should not be limited to ICT projects. Organisations should consider a range of factors when determining specific PII-related requirements, including:

  • The unique information variables, including what specific data is involved, its security needs, and the consequences of a breach or misuse.
  • The assurances that need to be sought in terms of confidentiality, integrity and availability.
  • The provisioning of access rights and authorisation protocols for internal and external personnel (including customers).
  • Setting clear expectations that inform users of their obligations.
  • The requirements of other internal security controls.
  • Any system-related actions that are required due to operational activities (e.g., transaction logging).
  • Maintaining adherence to legal, regulatory and contractual requirements.
  • Third-party contractual obligations that are aligned with the organisation’s own privacy standards.

Relevant ISO 27002 Controls

  • ISO 27002 5.32
  • ISO 27002 8.26

Supporting Controls From ISO 27002 and GDPR

ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Control | Associated GDPR Articles
6.3.1.1 | Information Security Roles and Responsibilities | 5.2 – Information Security Roles and Responsibilities | Articles 27, 37, 38, 39
6.3.1.2 | Segregation of Duties | 5.3 – Segregation of Duties | None
6.3.1.5 | Information Security in Project Management | 5.8 – Information Security in Project Management | None

How ISMS.online Helps

Our ISMS.online solutions make it easy for organisations to achieve project oversight, ensuring that the data controller and processor policies and procedures are in line with the ISO standard.

Our online system also ensures that system implementers have a single place for reference and collaboration.

Our Assured Results Method (ARM) enables you to be confident that you are ticking all the boxes you need to comply with the standard.

Find out more and get a hands on demonstration by booking a demo.